Claude Chrome extension flaw lets malicious add-ons hijack AI actions
6 min. read 
Published on
A flaw in Anthropic’s Claude in Chrome extension can let a malicious Chrome extension hijack Claude’s browser agent and push it into accessing sensitive data from Gmail, Google Drive, and private GitHub repositories.
The issue, called ClaudeBleed by LayerX, does not require a powerful browser extension with broad permissions. Researchers say even a minimal extension with no special permissions can abuse Claude’s trusted communication path.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The risk comes from a trust boundary mistake. Claude in Chrome trusted scripts running on claude.ai, but it did not properly verify who caused those scripts to run inside that trusted origin.
How the ClaudeBleed attack works
LayerX says the Claude extension exposed a privileged message interface through Chrome’s externally_connectable setting. That setting can allow web pages or extensions to communicate with a browser extension.
The problem was not that externally_connectable exists. The problem was how trust was applied. The extension trusted the claude.ai origin, but it did not verify the real execution context behind the message.
A malicious extension could inject a script into the claude.ai page context and send commands that appeared to come from a trusted Claude page. Claude then processed those instructions through its browser automation workflow.
At a glance
| Item | Details |
|---|---|
| Vulnerability name | ClaudeBleed |
| Affected product | Claude in Chrome extension |
| Researcher | LayerX |
| Reported to Anthropic | April 27, 2026 |
| Patch version discussed | Version 1.0.70, released May 6, 2026 |
| Main risk | AI agent hijacking, data exfiltration, email actions, document sharing, and GitHub code theft |
Why a zero-permission extension can still be dangerous
Chrome extensions usually need permissions to read websites, access tabs, or interact with sensitive browser data. That model can make users assume a zero-permission extension is safe.
LayerX’s research shows why that assumption can fail when an AI browser agent trusts the wrong signal. The malicious extension does not need to directly steal Gmail or Drive data itself.
Instead, it can instruct Claude to perform actions through the user’s active browser session. In that setup, Claude becomes what security researchers call a confused deputy: a trusted tool doing the attacker’s work.
What attackers could make Claude do
LayerX demonstrated several attack scenarios. The malicious extension could make Claude access a Google Drive folder and share a file with an external user.
Researchers also showed that Claude could send emails, summarize recent Gmail messages, send those summaries to an attacker-controlled recipient, and delete evidence from the sent folder.
The same trust issue could also expose private GitHub repositories. For developers and businesses, that could mean source code leakage, project disclosure, and exposure of internal engineering work.
Why Claude’s guardrails were not enough
Claude uses approval prompts for some sensitive actions. However, LayerX says those prompts could be bypassed through repeated approval messages, such as repeatedly sending confirmation-style input.
The researchers also described perception manipulation. In this technique, an attacker changes visible page text or DOM elements so Claude interprets a risky action as something harmless.
For example, a button that performs a sensitive action can be renamed in the page interface. Claude may then act on what it sees, while the real browser action still performs the original sensitive operation.
Attack techniques described by researchers
| Technique | How it helps attackers |
|---|---|
| Origin trust abuse | The malicious script runs inside claude.ai, which the extension already trusts. |
| Remote prompt injection | The attacker sends prompts to Claude through the extension’s trusted message flow. |
| Approval looping | The attacker repeatedly sends confirmation-style prompts to satisfy approval flows. |
| DOM manipulation | The attacker changes visible labels and page structure to mislead Claude’s perception. |
| Privileged mode abuse | Researchers say version 1.0.70 checks could be bypassed when the extension moved into privileged mode. |
Anthropic’s patch did not fully close the issue, researchers say
LayerX reported the flaw to Anthropic on April 27, 2026. Anthropic released extension version 1.0.70 on May 6, adding extra approval flows and checks for standard browser actions.
LayerX says the update reduced some risk, but did not remove the root cause. The externally_connectable message handler remained, and the added checks focused on standard mode behavior.
The researcher says attackers could still switch the extension to privileged mode and run the same class of commands without a clear user approval prompt. CSO Online also reported that Anthropic had not immediately responded to its request for comment.
Why this matters for businesses
AI browser agents are more powerful than normal extensions because they can understand pages, click buttons, read content, and act across logged-in web apps.
That makes them useful for productivity, but it also gives them a larger blast radius when attackers can manipulate their instructions or perception.
For businesses, the danger extends beyond personal browsing. If employees use Claude in Chrome while logged into company Gmail, Google Drive, GitHub, Jira, or other SaaS platforms, a malicious extension could turn the agent into an indirect data theft tool.
What users and admins should do
Users should update Claude in Chrome to the latest available version and review whether they need the extension enabled at all. They should also remove any browser extensions they do not recognize or no longer use.
Administrators should limit unapproved Chrome extensions through enterprise policies. They should also review whether AI browser agents can access sensitive SaaS apps without additional controls.
Security teams should watch for unusual Google Drive sharing, unexpected sent emails, deleted Gmail messages, and abnormal GitHub repository access after employees install new extensions.
- Update Claude in Chrome to the newest available version.
- Disable Claude in Chrome when it is not needed.
- Remove unknown or unnecessary Chrome extensions.
- Restrict extension installation through Chrome Enterprise policies.
- Monitor Gmail, Drive, and GitHub for unusual actions.
- Review whether AI agents should run in privileged browser modes.
- Separate high-risk admin accounts from AI browsing workflows.
What a stronger fix should include
LayerX recommends that AI browser extensions verify more than the origin of a message. They should validate the sender identity and bind sensitive approvals to specific actions.
Strong remediation would include signed extension-to-page requests, stricter externally_connectable settings, one-time approval tokens, and non-replayable flows.
This incident shows that AI agents need security models built around intent, identity, and context. A browser agent that can act across Gmail, Drive, and GitHub should not trust a command just because it appears inside a familiar origin.
FAQ
ClaudeBleed is a vulnerability reported by LayerX in the Claude in Chrome extension. It can let a malicious Chrome extension hijack Claude’s trusted browser agent actions.
LayerX says a minimal extension can inject JavaScript into the claude.ai page context and send messages through Claude’s trusted communication path, even without special browser permissions.
Researchers demonstrated scenarios involving Gmail messages, Google Drive files, private GitHub source code, sent emails, deleted emails, and document sharing actions.
Anthropic released version 1.0.70 on May 6, 2026. LayerX says the update added checks but did not fully fix the root cause because privileged mode could still bypass the new protections.
Users should update Claude in Chrome, disable it when not needed, remove unknown extensions, avoid privileged browser-agent modes, and monitor Gmail, Drive, and GitHub for unusual activity.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages